
Mobile App Fraud Prevention & Security Elements


Table of Contents

  1. What is mobile app fraud?
  2. Common types of mobile app fraud
  3. How do I improve security for my mobile app?
  4. What is two-factor authentication?
  5. What is tokenization?
  6. What is mobile app fraud detection?
  7. Prevent fraud, prevent chargebacks
  8. Can you get scammed through Cash App?
  9. What do you do if you are scammed on Cash App?
  10. Can fraudsters get arrested for mobile app fraud?

At the start of the 21st century, trend forecasters predicted that our homes would be full of desktop computers by now. Given how quickly we were all warming up to personal computing and internet technology, it was a reasonable expectation, but it failed to anticipate the rise of mobile devices.

There’s no need to cover every available desktop surface with a computer when you’re walking around with a smartphone that can do whatever you need, but when it comes to cybersecurity most of us are still stuck in a desktop mindset. As more and more shopping and payment processing is happening through phones and tablets, what can we do to promote a safe and fraud-free mobile payments environment?

The number one rule of fraud is that it always follows the money. As customers have warmed to mobile eCommerce, payment apps, digital wallets, and other technological conveniences, fraudsters have followed right behind them. They're constantly testing new systems for weaknesses and finding vulnerabilities in the hardware, software, and human behaviors that enable them.

To maintain growth and confidence in mobile eCommerce, industry leaders — including merchants — must pay close attention to the development of new fraud schemes and utilize tools and defenses that can protect customer data. Remember that nearly every fraudulent transaction eventually turns into a chargeback, and true fraud chargebacks can't be reversed after the fact. For these types of disputes, prevention is the only solution.

What is mobile app fraud?

Mobile app fraud is any fraud that involves the use of a mobile app. Fraudsters make purchases using stolen payment credentials or compromised customer accounts, and may even try to hack the systems behind the apps themselves to gain access to customer data.

With the continuing rise in payments made through apps, they've become a lucrative target for fraudsters.

Mobile apps are often less secure than websites since there are fewer standardized plug-and-play security tools available, and the small purchases often found in these apps are a perfect target for card testing.

The internet has been around for a long time now, and has carried with it a tradition of openness and information sharing. This means that just about anyone capable of building a website can make it relatively secure just by downloading some free tools or copying and pasting the right blocks of code. Not so with mobile apps.

Apps have been a commercial venture from the very beginning, and don't have the luxury of running through a browser that handles most of the hard work for you. That means that while some tools used for websites also work with mobile apps, and plenty of articles like this one offer basic security advice, properly securing a mobile app is still far more difficult than securing a website.

Even if your app doesn’t store payment credentials or other financial data, breaking into it can be highly rewarding for fraudsters who might be looking for personal information to use in phishing or identity theft schemes. Account takeover attacks can also be extremely lucrative. Don’t fool yourself into thinking that your app is too inconsequential to be targeted, because any app that involves any kind of transaction or personal information is at risk.

Common types of mobile app fraud

While payment fraud is common on mobile apps, there are also several other common types of fraud involving apps that can impact chargebacks or payments:

  • Click injection: Fraudsters can publish an app that detects when the user installs any other app and fakes an advertising click that gives the fraudsters credit for the install. This fraud works only on Android systems, since iOS doesn't notify existing apps of new installs.
  • Device fraud: Fraudsters set up a farm of outdated mobile devices configured to automatically download certain apps, click ads, and/or post reviews. This setup is often used to commit affiliate fraud or to offer fraud-as-a-service.
  • Mobile payment app fraud: The fraudster attempts to convince a user that they are from a legitimate organization, like the IRS or a company running a sweepstakes, and uses payment apps like Cash App or Venmo to move money to an untraceable account.

How do I improve security for my mobile app?

First of all, don’t go searching for that one weird trick that’s going to secure your mobile app against intrusions. Hackers rarely restrict themselves to a single angle of attack, so if you want to keep your data safe you’re going to need to deploy a multi-layered approach to security.

Having more than one form of protection in place means that even if one or more of them fail, the others can still stop cyber criminals from delving any further.

A comprehensive approach to mobile security might involve two-factor authentication to keep out the password crackers, tokenization to protect sensitive data from exposure, and “smart” fraud detection tools to terminate fraudsters’ connections as soon as they start engaging in suspicious activity.

Let's go into each of these tools in more detail.

What is two-factor authentication?

Two-factor authentication is a method of confirming a user's identity by checking two separate factors: the first is a password, and the second is something tied to the user's phone number, email address, device, or fingerprint. A one-time password or fingerprint check is required when logging in from a new device.

Many users are careless when it comes to creating passwords, and even the strongest passwords can be compromised when people share them, write them down, or use the same password for many different websites.

If a successful password entry prompts you to enter a code sent via email or SMS, that’s the end of the line for the vast majority of fraudsters. It's usually not a huge hurdle for legitimate customers either, since they can choose to remember their device, bypassing the need to enter an additional code on further login attempts unless a different device is detected.

In a payment processing context, simply requiring AVS and CVV matching will screen out all the fraudsters who only have credit card numbers and expiration dates to work with, though there are also more sophisticated fraud prevention tools available.

What is tokenization?

Encrypted data is safer than data stored in plain text, but even encryption can be broken. The safest option for transmitting data is usually tokenization: storing the raw data in a secure, remote location, and using placeholder data to reference it.

Digital wallets make good use of this technology. When you make a payment in this manner, the merchant receives only a randomized string of numbers, not your actual account number. Only the payment platform has the ability to trace it back to your card.

If fraudsters hack into your app and steal tokenized data, they can’t do anything with it. They’d have to hack into the Apple Pay or Google servers to get the associated payment credentials, and that’s a heist that few hackers could even contemplate attempting.
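The tokenization model the last three paragraphs describe, as an added example that is not code from the original article or from any payment platform: a vault that is the only holder of raw card numbers hands the merchant a random token, the merchant stores only the token and the last four digits, and a simulated dump of the merchant's order store shows no full card number. The vault, the `caller` check and the index key are assumptions made for the example, and the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets

# Constructed demo key (assumption): indexes the vault by keyed hash so the same
# card maps to one token without storing a plain hash of the card number.
VAULT_INDEX_KEY = b"constructed-vault-index-key"


class TokenVault:
    """Stands in for the payment platform's vault: the only place raw card numbers live."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_index = {}

    def _index(self, pan: str) -> str:
        return hmac.new(VAULT_INDEX_KEY, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return a random token for the card; the token itself carries no card information."""
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        token = "tok_" + secrets.token_hex(12)
        while token in self._pan_by_token:       # vanishingly rare, but never hand out a collision
            token = "tok_" + secrets.token_hex(12)
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Only the platform's own authorization service may map a token back to a card."""
        if caller != "payment-platform":
            raise PermissionError(f"{caller} may not detokenize")
        return self._pan_by_token[token]


class Merchant:
    """A merchant app that stores tokens and the last four digits, never the full number."""

    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.orders = []

    def checkout(self, pan: str, amount: float) -> dict:
        token = self.vault.tokenize(pan)         # raw number goes straight to the vault
        record = {"token": token, "last4": pan[-4:], "amount": amount}
        self.orders.append(record)
        return record


def leaked_pans(merchant: Merchant, known_pans) -> list:
    """Simulates an attacker dumping the merchant's order store: which full card numbers appear?"""
    dump = repr(merchant.orders)
    return [p for p in known_pans if p in dump]


if __name__ == "__main__":
    pan = "4111111111111111"                     # constructed test card number
    vault = TokenVault()
    shop = Merchant(vault)
    rec = shop.checkout(pan, 19.99)
    print("merchant sees:", rec)
    print("card numbers recoverable from a merchant dump:", leaked_pans(shop, [pan]))
    print("vault resolves token:", vault.detokenize(rec["token"], "payment-platform"))
```

Because the token is random rather than derived from the card number, a merchant-side breach yields nothing an attacker can charge elsewhere; the only path back to the card is the vault, which is why the text says the attacker would have to break the payment platform itself.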

What is mobile app fraud detection?

The methods of fraud are constantly evolving, which means that even seemingly innocuous user behavior can sometimes be part of a scheme to exploit a script vulnerability or newly-discovered software bug.

Rules-based fraud detection logic, driven by artificial intelligence and machine learning technology, may be the answer to stopping emergent fraud methods before they can do real harm.

Advanced fraud detection tools can trace location, engage in velocity checking, analyze user behavior, and identify patterns consistent with fraud. With the right analytics, these tools can identify and block fraudsters in real time.
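The velocity checking mentioned above, as an added example that is not code from the original article or from any fraud-detection product. It runs two rules over a stream of transactions: a card-velocity rule (too many attempts on one card in a ten-minute window) and a card-testing rule (one device trying many different cards at tiny amounts, the pattern the article flags as a risk for apps with small purchases). The thresholds, field names and the sample traffic are constructed for the example; the card values are payment tokens, not card numbers.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Txn:
    id: str
    ts: int          # unix seconds
    device: str      # device fingerprint or installation id
    card: str        # payment token, never a raw card number
    amount: float
    approved: bool


WINDOW_SECONDS = 600          # look back ten minutes
MAX_PER_CARD = 5              # more attempts than this on one card in the window
MAX_CARDS_PER_DEVICE = 4      # this many distinct cards at small amounts from one device
SMALL_AMOUNT = 2.00           # card-testing charges are typically tiny


def detect_velocity(txns):
    """Evaluate two velocity rules as transactions stream in (sorted by time).

    Returns [(txn id, rule name), ...] for every transaction that trips a rule,
    so a caller can block it in real time rather than after settlement.
    """
    flags = []
    per_card = defaultdict(deque)      # card -> timestamps inside the window
    per_device = defaultdict(deque)    # device -> recent Txn objects
    for t in sorted(txns, key=lambda x: x.ts):
        cutoff = t.ts - WINDOW_SECONDS

        q = per_card[t.card]
        q.append(t.ts)
        while q[0] < cutoff:           # drop attempts older than the window
            q.popleft()
        if len(q) > MAX_PER_CARD:
            flags.append((t.id, "card_velocity"))

        d = per_device[t.device]
        d.append(t)
        while d[0].ts < cutoff:
            d.popleft()
        distinct_small = {x.card for x in d if x.amount <= SMALL_AMOUNT}
        if len(distinct_small) >= MAX_CARDS_PER_DEVICE:
            flags.append((t.id, "card_testing"))
    return flags


def flagged_devices(txns):
    """Devices that produced at least one flagged transaction."""
    by_id = {t.id: t for t in txns}
    return {by_id[tid].device for tid, _ in detect_velocity(txns)}


# Constructed sample traffic: one legitimate shopper, one card-testing bot that
# cycles through six different card tokens at $1.00, and one card hammered six times.
SAMPLE = [
    Txn("t1", 1000, "dev-alice", "tok_a1", 24.99, True),
    Txn("t2", 1300, "dev-alice", "tok_a1", 9.50, True),
    Txn("t3", 2000, "dev-bot", "tok_c1", 1.00, False),
    Txn("t4", 2010, "dev-bot", "tok_c2", 1.00, False),
    Txn("t5", 2020, "dev-bot", "tok_c3", 1.00, True),
    Txn("t6", 2030, "dev-bot", "tok_c4", 1.00, False),
    Txn("t7", 2040, "dev-bot", "tok_c5", 1.00, False),
    Txn("t8", 2050, "dev-bot", "tok_c6", 1.00, True),
    Txn("t9", 3000, "dev-x", "tok_z9", 49.00, False),
    Txn("t10", 3020, "dev-x", "tok_z9", 49.00, False),
    Txn("t11", 3040, "dev-x", "tok_z9", 49.00, False),
    Txn("t12", 3060, "dev-x", "tok_z9", 49.00, False),
    Txn("t13", 3080, "dev-x", "tok_z9", 49.00, False),
    Txn("t14", 3100, "dev-x", "tok_z9", 49.00, True),
]

if __name__ == "__main__":
    for txn_id, rule in detect_velocity(SAMPLE):
        print(f"{txn_id}: blocked by {rule}")
```

The legitimate shopper never trips a rule, the bot is flagged from its fourth distinct card onward, and the hammered card is flagged on its sixth attempt; in production the same sliding-window counters would be kept in a shared store so that every app server sees the same history.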

Prevent fraud, prevent chargebacks

App development can be a slow and bumpy process, so while it may not be feasible to add all of these features into your next update, they represent the current state of best practices for mobile security and should be incorporated, where applicable, as a priority.

By providing top-of-the-line mobile security and protecting your customers from fraud, you’ll reduce your true fraud chargebacks and be able to focus more on preventing and fighting illegitimate chargebacks, like friendly fraud.

We’re still in the middle of the great migration away from the desktop, but it could be just a few short years before a new generation of digital natives brings an end to computing’s long association with desks and chairs. In the meantime, we can start shifting more of our thinking around cybersecurity toward mobile platforms and begin adapting to the tools and habits that will keep our data safe in the days ahead.

FAQ

Can you get scammed through Cash App?

Yes. Fraudsters may use Cash App as a method for gaining cash from victims, or directly scam Cash App users to get access to their accounts and steal money from them.

What do you do if you are scammed on Cash App?

Cash App provides methods for reversing transactions manually if you catch the fraud soon enough. You can also request a dispute through Cash App customer support.

Can fraudsters get arrested for mobile app fraud?

Yes. Fraud over a mobile app is still fraud, and theft of identity or money can face fines and jail time.


Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to: win@chargebackgurus.com